8.8
CVE-2026-43187
- EPSS 0.47%
- Veröffentlicht 06.05.2026 11:27:57
- Zuletzt bearbeitet 11.05.2026 20:38:50
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
xfs: delete attr leaf freemap entries when empty
In the Linux kernel, the following vulnerability has been resolved:
xfs: delete attr leaf freemap entries when empty
Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size
underflow"), Brian Foster observed that it's possible for a small
freemap at the end of the end of the xattr entries array to experience
a size underflow when subtracting the space consumed by an expansion of
the entries array. There are only three freemap entries, which means
that it is not a complete index of all free space in the leaf block.
This code can leave behind a zero-length freemap entry with a nonzero
base. Subsequent setxattr operations can increase the base up to the
point that it overlaps with another freemap entry. This isn't in and of
itself a problem because the code in _leaf_add that finds free space
ignores any freemap entry with zero size.
However, there's another bug in the freemap update code in _leaf_add,
which is that it fails to update a freemap entry that begins midway
through the xattr entry that was just appended to the array. That can
result in the freemap containing two entries with the same base but
different sizes (0 for the "pushed-up" entry, nonzero for the entry
that's actually tracking free space). A subsequent _leaf_add can then
allocate xattr namevalue entries on top of the entries array, leading to
data loss. But fixing that is for later.
For now, eliminate the possibility of confusion by zeroing out the base
of any freemap entry that has zero size. Because the freemap is not
intended to be a complete index of free space, a subsequent failure to
find any free space for a new xattr will trigger block compaction, which
regenerates the freemap.
It looks like this bug has been in the codebase for quite a long time.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 2.6.12.1 < 5.10.252
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.202
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.165
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.128
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.75
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.16
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.6
Linux ≫ Linux Kernel Version2.6.12 Update-
Linux ≫ Linux Kernel Version2.6.12 Updaterc2
Linux ≫ Linux Kernel Version2.6.12 Updaterc3
Linux ≫ Linux Kernel Version2.6.12 Updaterc4
Linux ≫ Linux Kernel Version2.6.12 Updaterc5
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.47% | 0.368 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-191 Integer Underflow (Wrap or Wraparound)
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
https://git.kernel.org/stable/c/f3c0d1fc1eadbb4adbee5ab7757d41d35f48325b
https://git.kernel.org/stable/c/aa9083d97e2157da3c6fb45ddb1a97af7f188f7f
https://git.kernel.org/stable/c/a631899025d47ea1aa6464d76db5b4d3b6d196fd
https://git.kernel.org/stable/c/ffaf5c99d0f862db021fb1af8b813c1416b1beb2
https://git.kernel.org/stable/c/e1b8c6452ee99a30e188a88f3f3f804fb1c6004a
https://git.kernel.org/stable/c/f31a8334e1c54b126fcecf98645a49b6bc5ad399
https://git.kernel.org/stable/c/479b05fc3ee272090f671b06a41f3da8aa78eece
https://git.kernel.org/stable/c/6f13c1d2a6271c2e73226864a0e83de2770b6f34